Allow JSON Web Keys that don't specify an explicit "use" and add Slack to the list of supported providers

3 years ago · ff3f5efbc8
5 changed files with 44 additions and 8 deletions
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
@ -110,6 +110,11 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                    context.Configuration.GrantTypesSupported.Add(GrantTypes.Implicit);
                }

+                else if (context.Registration.ProviderName is Providers.Slack)
+                {
+                    context.Configuration.GrantTypesSupported.Add(GrantTypes.RefreshToken);
+                }
+
                return default;
            }
        }
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@ -710,6 +710,14 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                context.Request["duration"] = options.Duration;
            }

+            // Slack allows sending an optional "team" parameter to simplify the login process.
+            else if (context.Registration.ProviderName is Providers.Slack)
+            {
+                var options = context.Registration.GetSlackOptions();
+
+                context.Request["team"] = options.Team;
+            }
+
            return default;
        }
    }
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@ -345,6 +345,21 @@
             Description="The value used as the 'duration' parameter (can be set to 'permanent' to retrieve a refresh token)" />
  </Provider>

+  <!--
+                                              ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                              ██ ▄▄▄ ██ ████ ▄▄▀██ ▄▄▀██ █▀▄██
+                                              ██▄▄▄▀▀██ ████ ▀▀ ██ █████ ▄▀███
+                                              ██ ▀▀▀ ██ ▀▀ █ ██ ██ ▀▀▄██ ██ ██
+                                              ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <Provider Name="Slack" Documentation="https://api.slack.com/authentication/sign-in-with-slack">
+    <Environment Issuer="https://slack.com/" />
+
+    <Setting PropertyName="Team" ParameterName="team" Type="String" Required="false"
+             Description="The value used as the 'team' parameter (allowing to bypass the login screen if the user is already authenticated in the specified workspace)" />
+  </Provider>
+
  <!--
                                      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                                      ██ ▄▄▄ ██ ▄▄ ██ ▄▄▄ █▄▄ ▄▄█▄ ▄██ ▄▄▄██ ███ ██
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs
@ -912,13 +912,17 @@ public static partial class OpenIddictClientHandlers

                for (var index = 0; index < keys.Count; index++)
                {
-                    // Note: the "use" parameter is defined as optional by the specification.
-                    // To prevent key swapping attacks, OpenIddict requires that this parameter
-                    // be present and will ignore keys that don't include a "use" parameter.
+                    // Note: the "use" parameter is defined as optional by the JWKS specification
+                    // but is required by the OpenID Connect discovery specification if both signing
+                    // and encryption keys are present in the returned list. If the "use" parameter
+                    // is not explicitly specified or has an empty value, assume it is a signing key.
+                    //
+                    // For more information, see https://www.rfc-editor.org/rfc/rfc7517#section-4.2
+                    // and https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata.
                    var use = (string?) keys[index][JsonWebKeyParameterNames.Use];
                    if (string.IsNullOrEmpty(use))
                    {
-                        continue;
+                        use = JsonWebKeyUseNames.Sig;
                    }

                    // Ignore security keys that are not used for signing.
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs
@ -511,13 +511,17 @@ public static partial class OpenIddictValidationHandlers

                for (var index = 0; index < keys.Count; index++)
                {
-                    // Note: the "use" parameter is defined as optional by the specification.
-                    // To prevent key swapping attacks, OpenIddict requires that this parameter
-                    // be present and will ignore keys that don't include a "use" parameter.
+                    // Note: the "use" parameter is defined as optional by the JWKS specification
+                    // but is required by the OpenID Connect discovery specification if both signing
+                    // and encryption keys are present in the returned list. If the "use" parameter
+                    // is not explicitly specified or has an empty value, assume it is a signing key.
+                    //
+                    // For more information, see https://www.rfc-editor.org/rfc/rfc7517#section-4.2
+                    // and https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata.
                    var use = (string?) keys[index][JsonWebKeyParameterNames.Use];
                    if (string.IsNullOrEmpty(use))
                    {
-                        continue;
+                        use = JsonWebKeyUseNames.Sig;
                    }

                    // Ignore security keys that are not used for signing.